Wednesday, 13 November 2019

On 02:49 by admin


Over the past year ransomware operators have shifted to a targeted-attack model and found it pays off. Small and medium-sized enterprises remain the main target because of their limited security budgets and skills. Whether through phishing of employees or extortion via insecure RDP, ransomware is as effective as ever. The most notable families include:

1. Emotet – Trickbot – Ryuk ("Three in One Threat"):

In terms of economic losses, this is the most successful combination of 2019. The operators have shifted more of their effort to reconnaissance: after infecting a target network they assess its value, move laterally, deploy the ransomware, and then set the ransom demand accordingly.

2. Trickbot / Ryuk:

In the first half of 2019, Emotet delivered Trickbot as a secondary payload, and Ryuk infections, usually spread by Trickbot, caused large-scale encryption of entire networks.

3. Dridex / Bitpaymer:

Dridex is not only the implant in the Bitpaymer ransomware infection chain, but also a secondary payload of Emotet.

4. GandCrab:

The most successful example of RaaS (ransomware as a service) to date; its developers claim a combined profit of more than $2 billion.

5. Sodinokibi – Sodin / REvil:

This family appeared after GandCrab stopped updating. For operators who have already succeeded with one ransomware, it is not uncommon to launch a new one and gain a lot of attention and success again. (The Sodinokibi code is similar to GandCrab's, and it is considered the "heir" of the GandCrab ransomware.)

6. Crysis / Dharma:

This ransomware has been on the "most notorious malware" list for the second year running. It was distributed in multiple campaigns in the first half of 2019, and almost all observed infections came in via RDP.


In 2019, the sophistication and credibility of email-based malware campaigns increased dramatically. Phishing campaigns have become more personalised, and scams have been run using leaked passwords. The phishing attacks include:

1. Enterprise invasion:

The biggest security risk for an enterprise is usually its employees rather than a distant hacker. In 2019 it turned out that poor security habits among employees (including password re-use and sharing, as well as fraud involving applications such as Microsoft, Facebook, Apple, Google and PayPal) had a serious impact on security.

2. Enterprise Email Intrusion (BEC):

In 2019, the frequency of email-address hijacking and deepfake attacks increased. Employees responsible for payments and gift-card purchases have become targets. Attackers mainly initiate the intrusion by impersonating corporate executives or acquaintances, and induce victims to click links and hand over credentials and gift cards.


Botnets are still the dominant force in the infection chain. No other class of malware delivers as many ransomware or cryptocurrency-mining payloads as botnets do. The three most notorious botnets include:

1. Emotet:

The most prevalent malware of 2018, it still dominated in 2019. Although it went quiet in June, it reappeared in September and became the largest botnet delivering a variety of malicious payloads.

2. Trickbot:

Trickbot's modular infrastructure poses a serious threat to any network it infects. Its combination with Ryuk ransomware is one of the most devastating targeted attacks of 2019.

3. Dridex:

Dridex is one of the best-known banking Trojans and is now used as the implant in the Bitpaymer ransomware infection chain.

Cryptomining and cryptojacking

The explosive growth of cryptojacking sites seen in 2017 and 2018 has faded, but cryptocurrency mining has not. Because it is low risk, brings guaranteed returns, and causes less damage (and earns less) than ransomware, cryptojacking remains active. The 2019 cryptojacking attacks include:

1. Hidden Bee:

An exploit-based campaign delivering cryptocurrency-mining payloads, which began with IE exploits last year, has evolved to hide its payloads in JPEG and PNG images using steganography, and in WAV media files delivered through Flash exploits.

2. Retadup:

This is a cryptocurrency-mining worm that infected more than 850,000 machines. It was taken down in August after the French National Gendarmerie Cyber Crime Center (C3N) took control of the malware's command-and-control server.

Finally, Webroot security analyst Tyler Moffitt said: "There is no doubt that we continue to see cyber-criminals constantly evolving their strategies. Although they may use some of the same malware, they are better off using a lot of stolen personal information to plan more targeted attacks. Therefore, individuals and organizations need to adopt a layered security approach. While striving to improve the network's flexible security protection capabilities, they must also continue to conduct relevant security training."

Reference source: ZDNet
